Closed GetRektBoy724 closed 2 years ago
got the same problem here.
Thank you @GetRektBoy724 for the heads up! 👍 I investigated this issue and I think I found why the payload DLL is not loaded anymore. I will probably write a blog post about it.
@itm4n Absolutely no problem, glad I can help. Waiting for the blog post :D
The Known DLL trick was indeed fixed in the build version 10.0.19044.1826. My analysis here: https://itm4n.github.io/the-end-of-ppldump/.
Do you know if Microsoft has a KB patch for it? Or is it only present in the new build? There is nothing to be found at Microsoft about a patch for NTDLL.
PP/PPL bypasses (even as a non-admin user) are not serviceable issues so I would imagine there is no associated KB. (See "Protected Process Light (PPL)" here: https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria).
@xennn this is the KB patch, I guess. And as you can see there, the highlights are "Addresses security issues for your Windows operating system." and obviously Microsoft wouldn't say "A patch on NTDLL for preventing KnownDLLs hijacking on PP/PPL processes" because the public wouldn't understand :joy: https://support.microsoft.com/en-au/topic/july-12-2022-kb5015807-os-builds-19042-1826-19043-1826-and-19044-1826-8c8ea8fe-ec83-467d-86fb-a2f48a85eb41
And maybe you can uninstall the KB update using wusa /uninstall /kb:HotFixID
The payload DLL was not loaded; the program is running as Administrator and I'm pretty sure the architecture matches and AV is not the problem. I also tested the program on Windows 10 v21H2 Build 19044.1288 and it's still working fine.